Construct SAML id federation for Amazon OpenSearch Service domains inside a VPC

Amazon OpenSearch Service is a totally managed search and analytics service powered by the Apache Lucene search library that may be operated inside a digital non-public cloud (VPC). A VPC is a digital community that’s devoted to your AWS account. It’s logically remoted from different digital networks within the AWS Cloud. Inserting an OpenSearch Service area inside a VPC permits a safe communication between OpenSearch Service and different providers throughout the VPC with out the necessity for an web gateway, NAT system, or a VPN connection. All visitors stays securely throughout the AWS Cloud, offering a protected atmosphere on your information. To hook up with an OpenSearch Service area operating inside a personal VPC, enterprise prospects use one among two out there choices: both combine their VPC with their enterprise community by VPN or AWS Direct Join, or make the cluster endpoint publicly accessible by a reverse proxy. Confer with How can I entry OpenSearch Dashboards from outdoors of a VPC utilizing Amazon Cognito authentication for an in depth analysis of the out there choices and the corresponding professionals and cons.

For managing entry to OpenSearch Dashboards in enterprise prospects’ environments, OpenSearch Service helps Safety Assertion Markup Language (SAML) integration with the client’s present id suppliers (IdPs) to supply single sign-on (SSO). Though SAML integration for publicly accessible OpenSearch Dashboards works out of the field, enabling SAML for OpenSearch Dashboards inside a VPC requires cautious design with numerous configurations.

This submit outlines an end-to-end answer for integrating SAML authentication for OpenSearch Service domains operating in a VPC. It gives a step-by-step deployment guideline and is accompanied by AWS Cloud Growth Package (AWS CDK) functions, which automate all the required configurations.

Overview of answer

The next diagram describes the step-by-step authentication circulation for accessing a personal OpenSearch Service area by SSO utilizing SAML id federation. The entry is enabled over public web by non-public NGINX reverse proxy servers operating on Amazon Elastic Container Service (Amazon ECS) for top availability.

The workflow consists of the next steps:

1. The person navigates to the OpenSearch Dashboards URL of their browser.
2. The browser resolves the area IP tackle and sends the request.
3. AWS WAF guidelines ensure that solely enable listed IP tackle ranges are allowed.
4. Software Load Balancer forwards the request to NGINX reverse proxy.
5. NGINX provides the required headers and forwards the request to OpenSearch Dashboards.
6. OpenSearch Dashboards detects that the request is just not authenticated. It replies with a redirect to the built-in SAML IdP for authentication.
7. The person is redirected to the SSO login web page.
8. The IdP verifies the person’s id and generates a SAML assertion token.
9. The person is redirected again to the OpenSearch Dashboards URL.
10. The request goes by the Steps 1–5 once more till it reaches OpenSearch. This time, OpenSearch Dashboards detects the accompanying SAML assertion and permits the request.

Within the following sections, we arrange a NGINX reverse proxy in non-public subnets to offer entry to OpenSearch Dashboards for a website deployed inside VPC non-public subnets. We then allow SAML authentication for OpenSearch Dashboards utilizing a SAML 2.0 software and use a customized area endpoint to entry OpenSearch Dashboards to see the SAML authentication in motion.

Conditions

Earlier than you get began, full the prerequisite steps on this part.

Set up required instruments

First, set up the AWS CDK. For extra info, consult with the AWS CDK v2 Developer Information.

Put together required AWS assets

Full the next steps to arrange your AWS assets:

1. Create an AWS account.
2. Create an Amazon Route 53 public hosted zone comparable to mydomain.com for use for routing web visitors to your area. For directions, consult with Making a public hosted zone.
3. Request an AWS Certificates Supervisor (ACM) public certificates for the hosted zone. For directions, consult with Requesting a public certificates.
4. Create a VPC with private and non-private subnets.
5. Allow AWS IAM Id Middle. For directions, consult with Allow IAM Id Middle.

Put together your OpenSearch Service cluster

This submit is accompanied with a standalone AWS CDK software (opensearch-domain) that deploys a pattern OpenSearch Service area in non-public VPC subnets. The deployed area is for demonstration functions solely, and is non-obligatory.

When you’ve got an present OpenSearch Service area in VPC that you just wish to use for SAML integration, apply the next configurations:

1. On the Cluster configuration tab, select Edit and choose Allow customized endpoint within the Customized endpoint part.
2. For Customized hostname, enter a totally certified area identify (FQDN) comparable to opensearch.mydomain.com, which you wish to use to entry your cluster. Word that the area identify of the supplied FQDN (for instance, mydomain.com) have to be the identical as the general public hosted zone you created earlier.
3. For AWS certificates, select the SSL certificates you created earlier.
4. Within the Abstract part, optionally allow dry run evaluation and choose Dry run or deselect it and select Save modifications.

In any other case, obtain the accompanied opensearch-domain AWS CDK software and unzip it. Then, edit the cdk.json file on the basis of the unzipped folder and configure the required parameters:

• vpc_cidr – The CIDR block by which to create the VPC. You might go away the default of 10.0.0.0/16.
• opensearch_cluster_name – The identify of the OpenSearch Service cluster. You might go away the default worth of opensearch. It’s going to even be used, along with the hosted_zone_name parameter, to construct the FQDN of the customized area URL.
• hosted_zone_id – The Route 53 public hosted zone ID.
• hosted_zone_name – The Route 53 public hosted zone identify (for instance, mydomain.com). The end result FQDN with the default instance values will then be opensearch.mydomain.com.

Lastly, run the next instructions to deploy the AWS CDK software:

cd opensearch-domain

# Create a Python atmosphere and set up the reuired dependencies
python3 -m venv .venv
supply .venv/bin/activate
pip set up -r requirements-dev.txt
pip set up -r necessities.txt

# Deploy the CDK software
cdk deploy

With the conditions in place, consult with the next sections for a step-by-step information to deploy this answer.

Create a SAML 2.0 software

We use IAM Id Middle because the supply of id for our SAML integration. The identical configuration ought to apply to different SAML 2.0-compliant IdPs. Seek the advice of your IdP documentation.

1. On the IAM Id Middle console, select Teams within the navigation pane.
2. Create a brand new group referred to as Opensearch Admin, and add customers to it.
   This would be the SAML group that receives full permissions in OpenSearch Dashboards. Be aware of the group ID.
3. Select Functions within the navigation pane.
4. Create a brand new customized SAML 2.0 software.
5. Obtain the IAM Id Middle SAML metadata file to make use of in a later step.
6. For Software begin URL, enter [Custom Domain URL]/_dashboards/.
   The customized area URL consists of communication protocol (https://) adopted by the FQDN, which you used on your OpenSearch Service cluster within the conditions (for instance, https://opensearch.mydomain.com). Look beneath your OpenSearch Service cluster configurations, if doubtful.
7. For Software ACS URL, enter [Custom Domain URL]/_dashboards/_opendistro/_security/saml/acs.
8. For Software SAML viewers, enter [Custom Domain URL] (with none trailing slash).
   
9. Select Submit.
10. Within the Assigned customers part, choose Opensearch Admin and select Assign Customers.
11. On the Actions menu, select Edit attribute mappings.
12. Outline attribute mappings as proven within the following screenshot and select Save modifications.

Deploy the AWS CDK software

Full the next steps to deploy the AWS CDK software:

1. Obtain and unzip the opensearch-domain-saml-integration AWS CDK software.
2. Add your non-public SSL key and certificates to AWS Secrets and techniques Supervisor and create two secrets and techniques referred to as Key and Crt. For instance, see the next code:

   KEY=$(cat non-public.key | base64) && aws secretsmanager create-secret --name Key --secret-string $KEY
   CRT=$(cat certificates.crt | base64) && aws secretsmanager create-secret --name Crt --secret-string $CRT

   You should use the next command to generate a self-signed certificates. That is for testing solely; don’t use this for manufacturing environments.

   openssl req -new -newkey rsa:4096 -days 1095 -nodes -x509 -subj '/' -keyout non-public.key -out certificates.crt

3. Edit the cdk.json file and set the required parameters contained in the nested config object:

• aws_region – The goal AWS Area on your deployment (for instance, eu-central-1).
• vpc_id – The ID of the VPC into which the OpenSearch Service area has been deployed.
• opensearch_cluster_security_group_id – The ID of the safety group utilized by the OpenSearch Service area or another safety group that permits inbound connections to that area on port 80 and 443. This group ID might be utilized by the Software Load Balancer to ahead visitors to your OpenSearch Service area.
• hosted_zone_id – The Route 53 public hosted zone ID.
• hosted_zone – The Route 53 public hosted zone identify (for instance, mydomain.com).
• opensearch_custom_domain_name – An FQDN comparable to opensearch.mydomain.com, which you wish to use to entry your cluster. Word that the area identify of the supplied FQDN (mydomain.com) have to be the identical because the hosted_zone parameter.
• opensearch_custom_domain_certificate_arn – The ARN of the certificates saved in ACM.
• opensearch_domain_endpoint – The OpenSearch Service VPC area endpoint (for instance, vpc-opensearch-abc123.eu-central-1.es.amazonaws.com).
• vpc_dns_resolver – This have to be 10.0.0. in case your VPC CIDR is 10.0.0.0/16. See Amazon DNS server for additional particulars.
• alb_waf_ip_whitelist_cidrs – That is an non-obligatory listing of zero or extra IP CIDR ranges that might be robotically enable listed in AWS WAF to allow entry to the OpenSearch Service area. If not specified, after the deployment you will want to manually add related IP CIDR ranges to the AWS WAF IP set to permit entry. For instance, ["1.2.3.4/32", "5.6.7.0/24"].

4. Deploy the OpenSearch Service area SAML integration AWS CDK software:

   cd opensearch-domain-saml-integration
   
   # Create a Python atmosphere and set up the required dependencies
   python3 -m venv .venv
   supply .venv/bin/activate
   pip set up -r requirements-dev.txt
   pip set up -r necessities.txt
   
   # Deploy the CDK software
   cdk deploy

Allow SAML authentication on your OpenSearch Service cluster

When the appliance deployment is full, allow SAML authentication on your cluster:

1. On the OpenSearch Service console, navigate to your area.
2. On the Safety configuration tab, select Edit.
3. Choose Allow SAML authentication.
4. Select Import from XML file and import the IAM Id Middle SAML metadata file that you just downloaded in an earlier step.
5. For SAML grasp backend function, use the group ID you saved earlier.
6. Increase the Extra settings part and for Roles, enter the SAML 2.0 attribute identify you mapped earlier if you created the SAML 2.0 software in AWS Id Middle.
7. Configure the area entry coverage for SAML integration.
8. Submit modifications and look forward to OpenSearch Service to use the configurations earlier than continuing to the following part.

Check the answer

Full the next steps to see the answer in motion:

1. On the IAM Id Middle console, select Dashboard within the navigation pane.
2. Within the Settings abstract part, select the hyperlink beneath AWS entry portal URL.
3. Register together with your person identify and password (register your password if that is your first login).
   In case your account was efficiently added to the admin group, a SAML software brand is seen.
4. Select Customized SAML 2.0 software to be redirected to the OpenSearch Service dashboards by SSO with none further login makes an attempt.
   Alternatively, you possibly can skip logging in to the entry portal and straight level your browser to the OpenSearch Dashboards URL. In that case, OpenSearch Dashboards would first redirect you to the entry portal to log in, which might redirect you again to the OpenSearch Dashboards UI after a profitable login, leading to the identical consequence as proven within the following screenshot.

Troubleshooting

Your public-facing IP have to be enable listed by the AWS WAF rule, in any other case a 403 Forbidden error might be returned. Enable listing your IP CIDR vary by way of the AWS CDK alb_waf_ip_whitelist_cidrs property as described within the set up information and redeploy the AWS CDK software for modifications to take impact.

Clear up

While you’re completed with this configuration, clear up the assets to keep away from future costs.

1. On the OpenSearch Service console, navigate to the Safety configuration tab of your OpenSearch Service area and select Edit.
2. Deselect Allow SAML authentication and select Save modifications.
3. After the Amazon SAML integration is disabled, delete the opensearch-domain-saml-integration stack utilizing cdk destroy.
4. Optionally, in case you used the supplied OpenSearch Service pattern AWS CDK stack (opensearch-domain), delete it utilizing cdk destroy.

Conclusion

OpenSearch Service permits enterprise prospects to make use of their most popular federated IdPs comparable to SAML utilizing IAM Id Middle for clusters operating inside non-public VPC subnets following AWS greatest practices.

On this submit, we confirmed you how one can combine an OpenSearch Service area inside a VPC with an present SAML IdP for SSO entry to OpenSearch Dashboards utilizing IAM Id Middle. The supplied answer securely manages community entry to the assets utilizing AWS WAF to limit entry solely to licensed community segments or particular IP addresses.

To get began, consult with How can I entry OpenSearch Dashboards from outdoors of a VPC utilizing Amazon Cognito authentication for additional comparability of OpenSearch Service area in non-public VPC entry patterns.

In regards to the Authors

Mahdi Ebrahimi is a Senior Cloud Infrastructure Architect with Amazon Net Providers. He excels in designing distributed, highly-available software program techniques. Mahdi is devoted to delivering cutting-edge options that empower his prospects to innovate within the quickly evolving panorama within the automotive trade.

Dmytro Protsiv is a Cloud Functions Architect for with Amazon Net Providers. He’s obsessed with serving to prospects to resolve their enterprise challenges round software modernization.

Luca Menichetti is a Large Information Architect with Amazon Net Providers. He helps prospects develop performant and reusable options to course of information at scale. Luca is passioned about managing organisation’s information structure, enabling information analytics and machine studying. Having labored across the Hadoop ecosystem for a decade, he actually enjoys tackling issues in NoSQL environments.

Krithivasan Balasubramaniyan is a Principal Guide with Amazon Net Providers. He permits international enterprise prospects of their digital transformation journey and helps architect cloud native options.

Muthu Pitchaimani is a Search Specialist with Amazon OpenSearch Service. He builds large-scale search functions and options. Muthu is within the matters of networking and safety, and relies out of Austin, Texas.